Office of Inspector General
Corporation for National and Community Service

INDEPENDENT AUDIT OF THE
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE'S
FISCAL YEAR 2003 FINANCIAL STATEMENTS
MANAGEMENT LETTER

Audit Report Number 04-02
October 31, 2003

Prepared by:

COTTON & COMPANY LLP
333 North Fairfax Street, Suite 401
Alexandria, Virginia 22314

This report was issued to Corporation management on January 20, 2004. Under
the laws and regulations governing audit follow-up, the Corporation is to make
final management decisions on the report's findings and recommendations no
later than July 20, 2004, and complete its corrective actions by January 20,
2005. Consequently, the reported findings do not necessarily represent the
final resolution of the issues presented.

Introduction

In accordance with the Government Corporation Control Act (31 U.S.C. §§ 9101-10), the Office
of Inspector General (OIG) engaged Cotton and Company LLP to audit the Corporation for
National and Community Service's fiscal year 2003 financial statements.
Their audit, conducted
in accordance with government auditing standards, resulted in an unqualified opinion on the
Corporation's financial statements. Audit Report 04-01, Audit of the Corporation for National
and Community Service's Fiscal Year 2003 Financial Statements, describes the basis for the
opinion as well as a reportable condition: the Corporation's monitoring of grantee activities.
This reportable condition was not considered a material weakness.

During the engagement, the auditors also noted certain matters involving the control over
financial reporting and other operational matters that were not considered material weaknesses or
reportable conditions. This report discusses these conditions and includes recommendations for
corrective action.

The OIG is responsible for evaluating the procedures performed, monitoring the audit's progress,
and reviewing the auditor's work papers supporting the conclusions in this report. Our review of
the auditors' work papers disclosed no instances where Cotton and Company did not comply
with, in all material respects, generally accepted government auditing standards.

We provided a draft of this report to the Corporation for review and comment. The response is
included as Appendix A. In the response, the Corporation agreed with the recommendations and
stated that corrective action has been completed on many of the conditions.

Table of Contents

Transmittal Letter

Appendix A - Recommended Improvements

Grants Management

A.1. Office of Management and Budget (OMB) Circular A-133 audit findings are not
     resolved in a timely manner
A.2. Grant closeout procedures do not ensure that projects are closed in a timely manner

National Service Trust

B.1. Discrepancies exist between WBRS and eSPAN reports
B.2. Member end-of-term forms are not always processed in a timely manner
B.3. Interest forbearance procedures are not always followed
B.4. Trust investment reconciliations are not performed in a timely manner
B.5. National Service Trust disbursements were late

Accounts Receivable and Debt Collection

C.1. VISTA receivables of $30 and under are directly written off
C.2. Debt collection activities are inconsistently conducted
C.3. Cost-share agreements are not reconciled in a timely manner and discrepancies exist
     between eSPAN and Momentum

Human Resources and Payroll

D.1. Overtime was not always approved in writing
D.2. Controls over time sheet reporting are weak in some instances

Vendor Payments

E.1. Vendor payments are not always disbursed in a timely manner

General EDP Controls Review

F.1. Certain general controls on information security are weak

Appendix B - Status of Prior-Year Management Letter Comments

Appendix C - Corporation Response

Inspector General
Board of Directors
Corporation for National and Community Service

In planning and performing our audit of the financial statements of the Corporation for National and
Community Service as of and for the year ended September 30, 2003, we considered the Corporation's
internal control to determine auditing procedures for the purpose of expressing an opinion on the
financial statements and not to provide assurance on internal control.

During the audit, however, we became aware of several matters that present opportunities for
strengthening internal control and operating efficiency. We previously reported on the Corporation's
internal control in our report dated October 31, 2003. This letter does not affect our report dated October
31, 2003, on the financial statements of the Corporation.

We will review the status of these comments during our next audit of the Corporation's financial
statements. We have already discussed many of these comments and suggestions with the Office of the
Inspector General and various Corporation staff, and we will be pleased to discuss these comments in
further detail at your convenience. Our comments and recommendations are attached.

We would like to express our appreciation to Corporation representatives who assisted us in completing
our audit.
They were always courteous, helpful, and professional.

Very truly yours,

Alan Rosenthal, CPA
Partner

October 31, 2003
Alexandria, Virginia

APPENDIX A

Cotton & Company LLP conducted the fiscal year (FY) 2003 financial statements audit of the
Corporation for National and Community Service. During the audit we became aware of several matters
that present opportunities for strengthening internal control and operating efficiency. These matters are
discussed in this management letter in the following categories:

    Grants Management
    National Service Trust
    Accounts Receivable and Debt Collection
    Human Resources and Payroll
    Vendor Payments
    General EDP Controls

GRANTS MANAGEMENT

A.1. Office of Management and Budget (OMB) Circular A-133 audit findings are not resolved in
a timely manner.

The Corporation reviews the Federal Audit Clearinghouse (FAC) database during the award approval
process to determine if grantees submitted audit reports to FAC in accordance with OMB Circular A-133
and if any findings related to the Corporation.

Of our sample of 32 grantees, two grantees did not resolve and close A-133 audit findings in a timely
manner (i.e., within one year of receipt).

To ensure that grantee internal control weaknesses and noncompliance issues are identified and properly
resolved in a timely manner, we recommend that the Corporation ensure that FAC reviews occur on a
regular basis to identify grantees with noted weaknesses and compliance problems prior to grant award
funding. We recommend that personnel responsible for resolution and closure follow up with grantees in
a timely manner to ensure that exceptions are corrected.

A.2. Grant closeout procedures do not ensure that projects are closed in a timely manner.

The Corporation has several policies regarding grant closeout. We noted, however, that effective
communication among grant managers, grant specialists, and grantees does not always occur.
Corporation personnel attempt to accommodate grantees, which sometimes results in grant closeouts not
being performed in accordance with the Corporation's policies for timeliness. A principal cause is the
failure by grantees to submit final Financial Status Reports (FSRs) within the allotted 90-day period
following the end of the grant period.

We reviewed a sample of 61 closed grant files and noted that 20 files were not closed within 180 days
from the end of the project period.
Of these 20 files, 14 were attributed to grantees failing to submit their
closeout documents within the allotted 90-day period.

Another related condition is that some grantees do not submit their semi-annual FSRs in a timely manner.
We reviewed 51 open grant files and noted that 18 grantees had not submitted FSRs within the required
30-day period. This weakness in grants management has been identified in previous management letters.

Inconsistent closeout procedures place the Corporation at risk of not identifying amounts advanced to
grantees that should be returned to the Corporation. Furthermore, inconsistent closeout procedures
prevent the Corporation from making timely adjustments to financial statements, if required.

We recommend that the Corporation develop a consistent method of identifying expired grants and
enforce timely administrative closeout of these grants. Further, we recommend that the Corporation
develop timelines for service center staff to request required documentation before the expiration date to
ensure that grants are closed in a timely manner. Also, we recommend that the Corporation communicate
the importance of semi-annual FSRs to applicable grantees and perform follow-up procedures when
grantees are late.

NATIONAL SERVICE TRUST

B.1. Discrepancies exist between WBRS and eSPAN reports.

We reviewed reconciliation reports between the Web-Based Reporting System (WBRS) and the
Electronic System for Programs, Agreements, and National Service Participants (eSPAN) and noted
discrepancies in four of the 30 reports reviewed. In another test, member data for three out of 30 items
tested did not agree between eSPAN and WBRS.

Previous management letters have identified this weakness.
The continued presence of unreconciled
items on reports causes an increased report size, which may result in inefficient time management by
cluster representatives or failure by representatives to reconcile reports at the level expected by the
Corporation. Inaccurate information in eSPAN could cause errors in the disbursement of education
awards and inaccuracies in the computation of the National Service Award Liability for financial
statement purposes.

We recommend that the Corporation establish policies and procedures to ensure that WBRS and eSPAN
reports are reconciled, and discrepancies are identified, resolved, and cleared from reports in a timely
manner.

B.2. Member end-of-term forms are not always processed in a timely manner.

We reviewed 30 files of National Service Trust members and noted that 11 exited members were not
processed in a timely manner. Of these, eight members were processed between 30 and 60 days, one was
processed after 85 days, one was processed after 180 days, and one was processed after 330 days.

Previous management letters have identified this problem. Delays in processing member exit information
could impact calculation of the National Service Award Liability and related expenses.

We recommend that the Corporation re-emphasize the importance of timely processing member exit
information within the allotted 30-day period following a member's completion of service.

B.3. Interest forbearance procedures are not always followed.

Corporation policies require that interest forbearance payments over $5,000 be approved by the
Supervisor of the Trust.
Six payments over $5,000 were made during FY 2003, and the Supervisor did
not approve two of these payments.

We recommend that the Corporation re-emphasize the importance of following this approval policy and
periodically run reports to ensure that all interest forbearance requests over $5,000 are verified and
approved before payment.

B.4. Trust investment reconciliations are not performed in a timely manner.

The Corporation did not reconcile the Trust investment subsidiary ledger (QuickBooks) to the general
ledger (Momentum) in a timely manner. As of September 30, the July and August reconciliations had not
been prepared. During our review of the May reconciliation, we found that prepaid interest from
investment and interest receivable was incorrectly posted in Momentum. Interest receivable was
overstated by $155,929 and was not corrected until year end. Had the Corporation performed the
reconciliation in a timely manner, these errors could have been detected and possibly corrected in the
normal course of business.

We recommend that the Corporation establish and enforce a policy of timely reconciliations and that the
Trust Supervisor be responsible for ensuring that reconciliations are performed and all differences are
resolved.

B.5. National Service Trust disbursements were late.

We reviewed 45 Education and Interest Forbearance award payments and noted that four disbursements
were made after the allotted 30-day period. These delays inconvenience members and result in a
misstatement of the Trust liability. Discussion with the Trust Supervisor indicated that mechanical
problems with the imaging software were the cause of these delayed payments.
Trust staff were,
however, unaware of the problem until a member inquired about the status of a payment.

We recommend that the imaging software be upgraded to prevent this situation from recurring. We also
recommend that procedures be implemented to track the timeliness of all award payments and that the
Trust staff be required to document the reason for any delays in excess of 30 days.

ACCOUNTS RECEIVABLE AND DEBT COLLECTION

C.1. VISTA receivables of $30 and under are directly written off.

We noted during our review of VISTA receivables that the Corporation is unable to automatically age
these receivables. Because the procedure is manual, it is only performed annually. To facilitate this
manual process, the Corporation has decided to write off any VISTA receivable of $30 and under. While
the direct write-off method is contrary to generally accepted accounting principles (GAAP), the amounts
are too small to have a significant impact on financial reporting. We found no documentation to support
this departure from GAAP or to document the policies and procedures regarding execution of this
activity.

Without policies and procedures, proper monitoring may not occur, resulting in debt being written off
without supporting documentation or research to determine why it is outstanding. One of the causes of
the VISTA receivables problem is that sponsor verification reports were not always submitted to State
offices by sponsor organizations in a timely manner. In two of 30 cases reviewed, reports were not
submitted. These two instances did not result in overpayments, but the possibility for overpayment exists.

Because the Corporation cannot automatically age these receivables, we recommend that it completely
document the reason for the departure from GAAP.
The Corporation should also document procedures
for executing write-offs and the level of supporting documents required for such a transaction.
Additionally, we recommend that the Corporation emphasize the importance of sponsor verification
reports and strengthen monitoring of delinquent sponsors. The Corporation should also require all
sponsors to have alternate personnel available to perform these functions when needed.

C.2. Debt collection activities are inconsistently conducted.

Debt collection activities are not consistently conducted in accordance with Corporation policies and
procedures. We reviewed eight cost-share agreements and identified one agreement with delinquent
payments. We also reviewed five VISTA members and identified three members with outstanding debt.

We recommend that the Corporation review and emphasize debt collection policies to Corporation staff,
and implement monitoring procedures to ensure that policies are followed.

C.3. Cost-share agreements are not reconciled in a timely manner and discrepancies exist
between eSPAN and Momentum.

We reviewed eight closed cost-share agreements (CSAs) and noted that two were not reconciled in a
timely manner following the end of the cost-share period. Two other agreements contained discrepancies
between expenses recorded in eSPAN and revenues recorded in Momentum. Attempts to fix these two
CSAs resulted in an unsupported special voucher and an outstanding difference. In these cases, there was
a lack of communication between the program specialist and accounting personnel, and a lack of
supporting documentation to research adjustments. The effect is that revenue can be misstated in
Momentum.

We recommend that the Corporation establish reconciliation criteria for CSAs and require that every
adjustment in eSPAN be fully documented.
We also recommend that all discrepancies between eSPAN
and Momentum be researched and resolved in a timely manner.

HUMAN RESOURCES AND PAYROLL

D.1. Overtime was not always approved in writing.

We reviewed time sheets and noted that overtime was recorded in four instances. Evidence of overtime
approved in writing in advance was missing in three of the four instances. We verified the policy
requiring advance written approval of overtime with human resource management. This policy is not
clearly documented or correctly applied. Although an overtime approval form does exist, it is not
consistently used. Failure to attach this form to time sheets limits the monitoring abilities of the
timekeeper. Unapproved overtime may be misused by employees and may not be budgeted for by
supervisors.

We recommend the Corporation clearly document and distribute this advance written approval policy and
allow timekeepers to reject time sheets without proper attachments.

D.2. Controls over time sheet reporting are weak in some instances.

We noted other isolated instances in which controls over time sheet reporting are weak. We identified
one instance in which a time sheet was inaccurately entered into the Personal Computer Time and
Attendance for Remote Entry (PC-TARE) system. We noted another instance in which leave approvals
exceeding 24 hours were not maintained in personnel files. We also noted one instance of compensatory
time being earned without prior written approval, and one time sheet was not initialed by the timekeeper
as evidence of review.

We recommend that the Corporation implement procedures to improve the accuracy of transferring time
sheet data into PC-TARE. We also recommend that existing policies addressing leave approval be
re-emphasized to Corporation staff.
Finally, we recommend that timekeepers perform a quality review of
each time sheet before submission and initial each time sheet to document this review.

VENDOR PAYMENTS

E.1. Vendor payments are not always disbursed in a timely manner.

We reviewed 108 procurements, and found 34 procurement disbursements that were paid in excess of 30
days. The Corporation appropriately included interest when disbursing these late payments, which
prevented violations of the Prompt Payment Act. Also, the interim balances of accounts payable were
understated by $163,889. One reason for the delay is that certain contracts have to be verified by several
offices to ensure that goods and/or services have been provided before vendor payments are made.

We recommend that the Corporation place stricter controls over responsible offices, re-emphasize the
importance of timely payments, investigate offices with delinquent payments, and resolve bottlenecks in
the disbursement process.

GENERAL EDP CONTROLS REVIEW

F.1. Certain general controls on information security are weak.

As part of the FY 2003 audit, we reviewed controls over systems that process and report information in
support of the Corporation's annual financial statements. We also reviewed network access controls used
to secure and safeguard financial information traveling over the network.
This review was conducted
under the guidelines of the General Accounting Office's (GAO) Federal Information Systems Control
Audit Manual (FISCAM).

The systems included in our audit were:

    Windows NT and 2000 servers (network)
    Momentum Financial System
    Electronic System for Programs, Agreements, and National Service Participants (eSPAN)
    eGrants
    Health and Human Services Payment Management System (HHS/PMS)
    Web-Based Reporting System (WBRS)
    National Finance Center Personnel/Payroll System (NFC/PPS)

We relied upon special publications and guidelines developed by the National Institute of Science and
Technology (NIST); guidelines developed by the National Security Agency (NSA); OMB Circulars
A-123, A-127, and A-130 (Appendix III); and Control Objectives for Information and Related Technology
(CobiT) as review criteria.

In conducting our review of internal control over information technology (IT), we reviewed controls in
the following FISCAM categories:

    Entity-wide security program planning and management
    Access controls
    Application software development and program change controls
    System software controls
    Segregation-of-duty controls
    Service continuity controls

Within these six review areas, we noted three conditions in which the information security general control
environment is weak. While the Corporation has practices in place, it does not have formal, documented
policies and procedures in place for all practices. In addition, we found that technical controls and
practices were lacking in the network operating systems.
Also, technical control deficiencies within the
general support systems and network weakened controls within financial applications. This reduces the
reliability, integrity, and confidentiality of the financial data used to prepare the Corporation's financial
statements.

The instances we noted are discussed below.

    The current Windows NT and 2000 domain controllers are not configured in compliance
    with NIST, NSA, and regulations.

    Documentation of policies, procedures, and standards is not in place for some areas,
    including:

        Rules of behavior within application system security plans.

        Program manager sign-off to approve system use within certification and
        accreditation packages.

        Account reviews for all systems.

        Minimum baseline for password standards to be used in defining security
        requirements for systems.

        System development life cycle policy to include more specific criteria and
        processes to perform when selecting commercial off-the-shelf software.

        Changing and implementing systems.

        Methodology for reviewing access to sensitive utilities.

        Processing priorities not included in the business function report section of the
        Disaster Recovery Plan/COOP.

        A final approved Overall Security Program Plan was not in place for most of the
        reporting year.

    The application programmer, who also acted as the backup database administrator
    (DBA), had access to the production environment and, in turn, possessed the ability to
    change applications and place changes into production. Management implemented
    corrective actions during our review to mitigate this matter, and, accordingly, this issue is
    considered closed.

To correct the above issues, we recommend that the Corporation's Office of Information Technology
(OIT):

    Review deficiencies identified by the audit team for the Windows 2000 server
    configurations and take corrective actions to ensure that the configuration is in line with
    NIST and NSA guidelines. To correct the Windows NT deficiencies, we recommend that
    OIT complete its efforts to fully migrate from Windows NT to Windows 2000.

    Document policies, procedures, and standards, as follows:

        Develop and document rules of behavior specific to major financial applications
        and include them in the security plan for each application.

        Modify written procedures for conducting system certification and accreditation
        to require the program manager, or system owner, to acknowledge awareness of
        residual risks and accept the associated risk of having the particular system in
        production.

        Develop fully documented procedures for the methodology and frequency of
        account reviews currently conducted by OIT for the network platforms and
        financial applications.

        Document a minimum baseline configuration for passwords that must be adhered
        to within all Corporation systems and applications.

        Modify the current Corporation system development life cycle to include
        procedures and processes for selecting commercial off-the-shelf software
        products, and procedures that ensure that these products meet the Corporation's
        security standards and needs.

        Develop policies requiring future system implementations and changes,
including\nthe network operating system, to be fully documented by detailing the reason for\nthe change, all planning decisions, and the final outcome of the implementation\nor change.\n\nDevelop written procedures for reviewing lists of individuals with\nadministrative-level access to the network, and individuals with access to\nsensitive system and developer utilities, to ensure that all individuals continue to\nrequire such privileges in the performance of their assigned duties.\n\nModify the Disaster Recovery PladCOOP to include a business function report\nsection, which should note the priority of restoring the respective applications\nand systems.\n\nFinalize efforts to implement a documented and approved entity-wide security\nprogram that will provide overall security policies and procedures to act as an\numbrella for all IT systems and operations. Also, document procedures for\nperiodically reviewing and updating the program to ensure that it meets current\nbusiness and technology needs.\n\x0c                                                                                            APPENDIX B\n\n\nSTATUS OF PRIOR-YEAR MANAGEMENT LETTER COMMENTS\n\nFiscal Year 2002 Management Letter Comment               Fiscal Year 2003 Status\n4.1 Oversight of OMB Circular A- 133 reporting           Management has fully implemented\nshould be improved.                                      corrective actions to address this issue. This\n                                                         issue is closed. A new issue related to A-133\n                                                         reporting is reported.\n4.2 Site visit report monitoring should be improved.     This issue remains open.\n4.3 Grant oloseout procedures should be improved.        This issue remains open.\n4.4 Grant approval should be improved.                   Management has fully implemented\n                                                         corrective actions to address this issue. 
This\n                                                         issue is closed.\n    The process of reviewing Web-Based Reporting         This issue remains open.\nSystem (WBRS) Reconciliation Reports should be\nstrengthened.\nB.2 Member end-of-term forms are not always              This issue remains open.\nprocessed in a timely manner.\nB.3 Certain members inappropriately received service     Management has fully implemented\nawards.                                                  corrective actions to address this issue. This\n                                                         issue is closed.\nB.4 Overpayment of Education Awards.                     Management has partially implemented\n                                                         corrective actions to address this issue. The\n                                                         issue related to Trust Director approval of\n                                                         interest forbearance awards over $5,000\n                                                         remains open.\nB.5 The Corporation\'s methodology for calculating the    Management has fully implemented\nService Award Liability estimate needs to be reviewed.   corrective actions to address this issue. This\n                                                         issue is closed.\nB.6 Improvements to Access Controls for the System       Management has fully implemented\nfor Programs, Agreements, and National Service           corrective actions to address this issue. This\nParticipants (eSPAN) need to be completed.               issue is closed.\nE7 Database Integrity for the System for Programs,       This issue remains open.\nAgreements, and National Service Participants\n(eSPAN) periodically needs systematic review.\nC.1 The Corporation\'s methodology for aging              Management has fully implemented\nreceivables needs to be reviewed.                        corrective actions to address this issue. 
This\n                                                         issue is closed. A new issue related to\n                                                         receivables is being reported.\nD.1 SF 133 reporting should be improved.                 Management has fully implemented\n                                                         corrective actions to address this issue. This\n                                                         issue is closed.\nE.1 Procedures should be established to monitor          Management has fully implemented\ncompliance with NCSA Subsection 129(b) [42 U.S.C.        corrective actions to address this issue. This\n12581(b)].                                               issue is closed.\nF.1 Reliance cannot be placed on automatic controls for     Management has fully implemented\nVISTA volunteer payments.                                   corrective actions to address this issue. This\n                                                            issue is closed.\nG.1 Procedures should be established for the                OIT uses contractors to perform certifications\nperformance of risk assessments.                            and accreditations, which include risk\n                                                            assessments. Contractors are instructed to\n                                                            follow OMB guidance in performing risk\n                                                            assessments. This issue is closed.\nG.2 The Business Continuity and Contingency Plan            This issue is closed. The BCCP is updated\n(BCCP) should be updated and tested.                        and tested annually.\nG.3 Specific policies, procedures, and controls should      This issue remains open. 
While OIT has\nbe established for transactions that flow across multiple   documented system interconnections within\nsystems.                                                    their system design documents, details of the\n                                                            connections and the security over the\n                                                            connections are not included in the written\n                                                            system security plans.\n\x0c                                                                                        APPENDIX C\n                                              CORPORATION\n                                              FOR NATIONAL\n                                              AND\n                                              COMMUNITY\n\n\n         MEMORANDUM\n\n         Date:          January 8, 2004\n\n         To:            Dan Lybert, Assistant Inspector General for Audit\n\n         From:          Bill Anderson, Deputy CFO for Financial\n\n         Subject:       Fiscal 2003 Management Letter\n\n\n         Thank you for the opportunity to comment on the draft management letter on the results\n         of the fiscal 2003 financial audit. The Corporation is pleased that it continues to receive\n         a clean opinion on its financial statements and that the audit found continued\n         improvement in our internal controls. The management letter recommends several areas\n         for further improvement. The Corporation\'s response to each recommendation is\n         outlined below. In addition, the Corporation has completed action on eight of the 14\n         issues included in the report; therefore, this response serves as notice of final action for\n         those items.\n\n         Grants Management\n\n         Recommendation A. 
1:\n\n         The Corporation should ensure that Federal Audit Clearinghouse reviews occur on a\n         regular basis to identify grantees with noted weaknesses and compliance problems prior\n         to grant award funding. Personnel responsible for resolution and closure should follow\n         up with grantees in a timely manner to ensure that exceptions are corrected.\n\n         Corporation Response:\n\n         The Corporation concurs with this recommendation. The audit report indicated that two\n         out of 32 OMB Circular A-133 audits were not resolved within the one-year timeframe.\n         This does happen on occasion with grantees, particularly for organizations in which the\n         specific grantee is part of a larger A-133 report and the Corporation is not directly\n         responsible for taking corrective action on findings. The Corporation recently filled a\n         Grants/Financial Analyst position that will oversee the A-133 audit resolution process\n         and work with other staff to track and ensure timely resolution. The Corporation also\n         established an A-133 database to track the resolution process in 2003. It is fully\n         operational and will help the Grants/Financial Analyst ensure resolution is completed on\n         time. [Corrective Action Completed]\n\n\n1201 New York Ave., N.W. 
Washington, DC 20525 202-606-5000 www.nationalservice.org\nSenior Corps AmeriCorps Learn and Serve America\n\n\nThe Corporation should develop a consistent method of identifying expired grants and\nenforce timely administrative closeout of these grants; develop timelines for service\ncenter staff to request required documentation before the expiration date to ensure that\ngrants are closed in a timely manner; and communicate the importance of semi-annual\nFSRs to applicable grantees and perform follow-up procedures when grantees are late.\n\nCorporation Response:\n\nThe Corporation concurs with this recommendation. In 2003, the Corporation began\nmanaging its grants through an electronic system, eGrants. eGrants includes a module\nfor grant closeout which will be used in 2004. In eGrants, grantees receive reminders\nwhen final FSRs and other required closeout documents are due. They also receive\nnotifications when reports are late. Corporation staff is also notified automatically if\nreports are late so they can follow up with grantees. In addition, the grants staff is\ndeveloping an automatic process in eGrants to identify grantees who are over 45 days late\nwith their reports. The Corporation can then suspend access to grant funds through the\nPayment Management System until the reports are submitted. 
[Corrective Action\nCompleted]\n\n\nNational Service Trust\n\nRecommendation B.1:\n\nThe Corporation should establish policies and procedures to ensure that WBRS and\neSPAN reports are reconciled, and discrepancies are identified, resolved, and cleared\nfrom reports in a timely manner.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. Grants staff is working with the\nOffice of Information and Technology to alleviate the need for our dual system process.\nSpecifically, planning and development is underway to combine the components of\nWBRS into the eSPAN system. In the interim the Corporation will review its\nreconciliation procedures to ensure that discrepancies are resolved on a timely basis.\n\nRecommendation B.2:\n\nThe Corporation should re-emphasize the importance of timely processing of member\nexit information within the allotted 30-day period following a member\'s completion of\nservice.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. A letter was sent to WBRS users by\nthe acting CEO to re-emphasize the need for timely posting of end-of-term documents.\nWe will also issue periodic reminders. [Corrective Action Completed]\n\n\n\nThe Corporation should re-emphasize the importance of following its interest forbearance\napproval policy and periodically run reports to ensure that all interest forbearance\nrequests over $5,000 are verified and approved before payment.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. The two payments made without\nDirector approval occurred during a period of transition in the management of the trust\nstaff. 
The new Supervisor of the Trust has re-emphasized the need to have all payments\nover $5,000 verified and approved by the Supervisor in advance of processing.\n[Corrective Action Completed]\n\nRecommendation B.4:\n\nThe Corporation should establish and enforce a policy of timely reconciliations of its\ninvestment balances and the Trust Supervisor be responsible for ensuring that\nreconciliations are performed and all differences are resolved.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. Reconciliations of the investment\nsubsidiary ledger to the Corporation\'s general ledger are performed in a timely manner\nand approved by the Supervisor of the Trust. The delays noted during the audit occurred\nduring a period of transition in the management of the trust staff. [Corrective Action\nCompleted]\n\n\n\nThe Corporation should upgrade its imaging software; implement procedures to track the\ntimeliness of all award payments; and require Trust staff to document the reason for any\ndelays in excess of 30 days.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. We are reviewing the imaging\nsystem to determine the feasibility of changes to ensure that problems are discovered and\nresolved timely. Additionally, new procedures will be implemented to monitor\ntransactions posted to the eSPAN database. 
Trust staff have been advised to document\nany delays or problems in posting these transactions.\n\n\nAccounts Receivable and Debt Collection\n\nRecommendation C.1:\n\nThe Corporation should completely document its debt collection policy and procedures\nfor executing write-offs and the level of supporting documents required for such a\ntransaction; emphasize the importance of sponsor verification reports and strengthen\nmonitoring of delinquent sponsors; and require all sponsors to have alternate personnel\navailable to perform these functions when needed.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. Corporation policies 400 - Debt\nCollection, and 801 - AmeriCorps*VISTA Cost Share Agreements, document the\nCorporation\'s policy and procedures for debt collection.\n\nIn addition, an August 2003 policy memorandum documents the VISTA receivable\nthreshold for adjustment (the threshold was raised to $40 in the August 2003\nmemorandum). The memorandum also provides policy guidance. However, in fiscal\n2004, amounts related to VISTA payroll will no longer be classified as a write-off but an\nadjustment charged to the VISTA budget. When the payroll costs are incurred for $40 or\nless, the charge will be directly posted to the VISTA budget via the payroll process. No\nreceivable will be established. Thus, these items will not be aged.\n\nThe Corporation continues to stress the importance of timely reviewing of verification\nreports and to include adequate backup for the review with sponsoring organizations.\nThe Corporation sends sponsors verification reports each pay period with instructions to\ncomplete the review. In addition, the Corporation is developing an on-line process which\nwill allow the sponsors to communicate and confirm the continued service of all\nparticipants via eGrants. 
Once implemented, the on-line process will replace the sponsor\nverification report.\n\nRecommendation C.2:\n\nThe Corporation should review and emphasize debt collection policies to Corporation\nstaff and implement monitoring procedures to ensure that policies are followed.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. We have and will continue to\nemphasize the debt collection process and procedures with staff. In addition, we are\nutilizing new aging reports first completed in fiscal 2003 and will continue to identify and\ncollect on outstanding debt. [Corrective Action Completed]\n\nRecommendation C.3:\n\nThe Corporation should establish reconciliation criteria for Cost Share Agreements and\nrequire that every adjustment in eSPAN be fully documented and research all\ndiscrepancies between eSPAN and Momentum in a timely manner.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. The two cost-shares identified\nduring the audit as not reconciled timely have documented issues that need to be resolved\nbefore completing the reconciliation. These efforts will continue until resolved. In\naddition, the Corporation is working to improve the lines of communication among staff\nand ensure proper supporting documentation is received in the future. [Corrective Action\nCompleted]\n\n\nHuman Resources and Payroll\n\n\n\nThe Corporation should clearly document and distribute its policy on obtaining advance\nwritten approval for overtime/comptime and allow timekeepers to reject time sheets\nwithout proper attachments.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. 
An email was sent to all employees\nreminding them of the policy for ensuring that all overtime/comptime is approved in\nwriting prior to the earning of the overtime, in addition to some other timekeeping issues\nthat we wanted to re-emphasize to all employees. [Corrective Action Completed]\n\nRecommendation D.2:\n\nThe Corporation should implement procedures to improve the accuracy of transferring\ntime sheet data into PC-TARE; reemphasize existing policies addressing leave approval\nto Corporation staff; and require timekeepers to perform a quality review of each time\nsheet before submission and to initial each time sheet to document this review.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. The Corporation is migrating to a\nnew payroll system in fiscal 2004. All timekeepers will receive training on the system.\nThe Office of Human Resources will go over all of their timekeeping responsibilities and\nre-emphasize to them the importance of their role as timekeeper and their\nresponsibilities.\n\n\nVendor Payments\n\n\n\nThe Corporation should place stricter controls over responsible offices, reemphasize the\nimportance of timely payments, investigate offices with delinquent payments, and resolve\nbottlenecks in the disbursement process.\n\nCorporation Response:\n\nThe Corporation concurs with the recommendation. The Corporation adheres to the\nPrompt Pay Act. The parameters in the Momentum financial system are designed to\nensure the proper treatment of transactions as they pertain to the Act. The Accounting\nOffice will work with staff that have vendor payment responsibility to ensure they are\ntrained in the overall payment process and the Prompt Pay Act. The Accounting Office\nrecently conducted teleconferences with field offices and met with Executive Officers to\nemphasize the overall prompt payment controls and responsibilities. 
The Accounting\nOffice also reemphasized the importance of prompt review of multi-task invoices. The\nCorporation will also review other possible enhancements including separate invoicing\nper task for future contracts that are issued. [Corrective Action Completed]\n\n\nGeneral EDP Controls Review\n\nRecommendation F.1:\n\nThe Corporation\'s Office of Information Technology should review deficiencies\nidentified by the audit team for the Windows 2000 server configurations and take\ncorrective actions to ensure that the configuration is in line with NIST and NSA\nguidelines. To correct the Windows NT deficiencies, we recommend that OIT complete\nits efforts to fully migrate from Windows NT to Windows 2000 and document policies,\nprocedures, and standards, as follows:\n\n   Develop and document rules of behavior specific to major financial applications and\n   include them in the security plan for each application.\n\n   Modify written procedures for conducting system certification and accreditation to\n   require the program manager, or system owner, to acknowledge awareness of residual\n   risks and accept the associated risk of having the particular system in production.\n\n   Develop fully documented procedures for the methodology and frequency of account\n   reviews currently conducted by OIT for the network platforms and financial\n   applications.\n\n   Document a minimum baseline configuration for passwords that must be adhered to\n   within all Corporation systems and applications.\n\n   Modify the current Corporation system development life cycle to include procedures\n   and processes for selecting commercial off-the-shelf software products, and\n   procedures that ensure that these products meet the Corporation\'s security standards\n   and needs.\n\n   Develop policies requiring future system implementations and changes, including the\n   network 
operating system, to be fully documented by detailing the reason for the\n   change, all planning decisions, and the final outcome of the implementation or\n   change.\n\n   Develop written procedures for reviewing lists of individuals with administrative-\n   level access to the network, and individuals with access to sensitive system and\n   developer utilities, to ensure that all individuals continue to require such privileges in\n   the performance of their assigned duties.\n\n   Modify the Disaster Recovery Plan/COOP to include a business function report\n   section, which should note the priority of restoring the respective applications and\n   systems.\n\n   Finalize efforts to implement a documented and approved entity-wide security\n   program that will provide overall security policies and procedures to act as an\n   umbrella for all IT systems and operations. Also, document procedures for\n   periodically reviewing and updating the program to ensure that it meets current\n   business and technology needs.\n\nCorporation Response:\n\nThe Corporation agrees that its domain controllers are not configured in accordance with\nall of the recommended parameters that have been issued by NIST and NSA. However,\nthe Corporation has concluded that its domain controllers are operating in an\nappropriately secure manner and that the current configurations have been set in\naccordance with the industry\'s best practices. For the Windows 2000 domain, the\nCorporation will develop a process by which it will acknowledge the guidelines that are\nset by NIST and NSA and, if configurations are not set in accordance with the guidelines,\na justification as well as the documentation to support the Corporation\'s configured\nsetting will be maintained. This process will be in place by April 1, 2004. 
For the\nWindows NT domain, the Corporation continues to migrate functionality into the\nWindows 2000 domain currently and plans to complete the migration by June 1, 2004.\n\nThe Corporation agrees that system documentation needs to be updated. During fiscal\nyear 2003 well over 100 documents were created that detail many aspects of the\nInformation Technology environment at the Corporation. The Corporation is also\ndeveloping a documentation methodology that will include the review of all system\ndocumentation. This methodology will be in place by February 1, 2004, with the\ndocuments listed in the management letter being created or updated by May 1, 2004, and\nthe remainder of all Information Technology documentation being reviewed by\nDecember 31, 2004.\n\x0c'